aligent · AdamJHall · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
@@ -0,0 +1,6 @@
+paths:
+  # CST_REPORTING_TOKEN is an org-level secret — not declared in the workflow
+  # but valid at runtime. actionlint cannot see org-level secrets.
+  ".github/workflows/magento-cloud-deploy.yml":
+    ignore:
+      - 'property "cst_reporting_token" is not defined'
@@ -23,7 +23,7 @@ runs:
     - id: check-script
       shell: bash
       run: |
-        cmd="${{ inputs.command }}"
+        cmd="${INPUTS_COMMAND}"
 
         # Check root package.json scripts
         if jq -e --arg cmd "$cmd" '.scripts[$cmd]' package.json > /dev/null 2>&1; then
@@ -58,7 +58,8 @@ runs:
         if [ -f "pnpm-workspace.yaml" ]; then
           # Extract package paths from YAML list items, stripping optional quotes
           # Matches: "  - packages/*", "  - 'apps/*'", '  - "libs/*"' -> packages/*, apps/*, libs/*
-          pnpm_packages=$(grep -E '^\s*-\s+' pnpm-workspace.yaml | sed "s/.*-\s*['\"]\\{0,1\\}\([^'\"]*\\)['\"]\\{0,1\\}/\1/" 2>/dev/null)
+          pnpm_packages=$(grep -E '^\s*-\s+' pnpm-workspace.yaml \
+            | sed "s/.*-\s*['\"]\\{0,1\\}\([^'\"]*\\)['\"]\\{0,1\\}/\1/" 2>/dev/null)
           for pattern in $pnpm_packages; do
             for pkg_dir in $pattern; do
               if [ -f "$pkg_dir/package.json" ]; then
@@ -72,11 +73,13 @@ runs:
         fi
 
         echo "exists=false" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}
 
     - id: check-nx
       shell: bash
       run: |
-        cmd="${{ inputs.command }}"
+        cmd="${INPUTS_COMMAND}"
 
         # Check Nx targets if this is an Nx workspace
         if [ -f "nx.json" ]; then
@@ -86,4 +89,6 @@ runs:
           fi
         fi
 
-        echo "exists=false" >> $GITHUB_OUTPUT
+        echo "exists=false" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}
@@ -17,15 +17,15 @@ runs:
   using: composite
   steps:
     - id: add-matchers
-      uses: aligent/workflows/.github/actions/node-problem-matchers@main
+      uses: aligent/workflows/.github/actions/node-problem-matchers@main # zizmor: ignore[unpinned-uses] trusted source
     - id: run
       shell: bash
       run: |
         debug=${{ inputs.debug == 'true' && '--verbose' || '' }}
-        pm=${{ inputs.package-manager }}
+        pm=${INPUTS_PACKAGE_MANAGER}
 
         # Parse JSON array of commands
-        readarray -t commands < <(echo '${{ inputs.commands }}' | jq -r '.[]')
+        readarray -t commands < <(echo '${INPUTS_COMMANDS}' | jq -r '.[]')
 
         if [ ${#commands[@]} -gt 0 ]; then
           # Build the full command strings
@@ -39,8 +39,11 @@ runs:
         else
           echo "No commands to run"
         fi
+      env:
+        INPUTS_PACKAGE_MANAGER: ${{ inputs.package-manager }}
+        INPUTS_COMMANDS: ${{ inputs.commands }}
     - id: remove-matchers
       if: always()
-      uses: aligent/workflows/.github/actions/node-problem-matchers@main
+      uses: aligent/workflows/.github/actions/node-problem-matchers@main # zizmor: ignore[unpinned-uses] trusted source
       with:
         action: remove
@@ -4,3 +4,5 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
@@ -96,7 +96,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Cache Maven packages
         if: ${{ !env.ACT }}  # Skip when running with act locally
@@ -131,7 +133,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Cache Maven packages
         if: ${{ !env.ACT }}  # Skip when running with act locally
@@ -165,9 +169,10 @@ jobs:
 
     steps:
       - name: Checkout code with full history
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |
@@ -193,11 +198,11 @@ jobs:
 
           # Determine branch name
           if [ -n "$REMOTE_BRANCH" ]; then
-            BRANCH="${{ github.ref_name }}:${REMOTE_BRANCH}"
-            echo "📋 Pushing '${{ github.ref_name }}' to Cloud Manager branch '${REMOTE_BRANCH}'"
+            BRANCH="${GITHUB_REF_NAME}:${REMOTE_BRANCH}"
+            echo "📋 Pushing '${GITHUB_REF_NAME}' to Cloud Manager branch '${REMOTE_BRANCH}'"
           else
-            BRANCH="${{ github.ref_name }}"
-            echo "📋 Pushing '${{ github.ref_name }}' to Cloud Manager"
+            BRANCH="${GITHUB_REF_NAME}"
+            echo "📋 Pushing '${GITHUB_REF_NAME}' to Cloud Manager"
           fi
 
           # Push to Cloud Manager
@@ -215,16 +220,16 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY
           echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| **Source Branch** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Source Branch** | ${GITHUB_REF_NAME} |" >> $GITHUB_STEP_SUMMARY
 
           if [ -n "$REMOTE_BRANCH" ]; then
             echo "| **Target Branch** | ${REMOTE_BRANCH} |" >> $GITHUB_STEP_SUMMARY
           else
-            echo "| **Target Branch** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY
+            echo "| **Target Branch** | ${GITHUB_REF_NAME} |" >> $GITHUB_STEP_SUMMARY
           fi
 
           echo "| **Git Commit** | ${{ github.sha }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| **Triggered By** | ${{ github.actor }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Triggered By** | ${GITHUB_ACTOR} |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### ✅ Sync Complete" >> $GITHUB_STEP_SUMMARY
           echo "Your AEM project has been successfully synced to Cloud Manager." >> $GITHUB_STEP_SUMMARY